ClawHub

Nuwa World - OSINT Human Research

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about using Nuwa World for face search and research, but it handles sensitive identity data without enough privacy, consent, or data-handling guardrails.

Install only if you intend to send face images and research queries to Nuwa World. Use it for lawful, authorized investigations, confirm each photo or query before submission, avoid images of people without consent or legal basis, and review Nuwa World's privacy, retention, and credit/billing terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README instructs users to upload face images and perform open-web identity research without any privacy, consent, retention, or legal-use warning. Because face images are highly sensitive biometric data, normalizing this workflow without guardrails can lead to unauthorized surveillance, doxxing, or policy-violating use even if the API itself is legitimate.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill explicitly instructs users to upload face images to a third-party API but provides no privacy, consent, retention, or sensitivity warning. Biometric data is highly sensitive, and undocumented transmission to an external service can lead to privacy violations, compliance issues, and misuse if users submit images without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The deep research feature sends arbitrary user queries to an external API, but the documentation does not warn that prompts may contain sensitive personal, business, or investigative information. This can expose confidential data to a third party and create privacy or confidentiality risks, especially when users assume the query is processed locally.

External Transmission

Medium
Category
Data Exfiltration
Content
`POST /face-search` with multipart form data:

   ```bash
   curl -X POST https://gateway.nuwa.world/api/v1/face-search \
     -H "X-API-Key: $NUWA_API_KEY" \
     -F "image=@photo.jpg"
   ```
Confidence
91% confidence
Finding
curl -X POST https://gateway.nuwa.world/api/v1/face-search \ -H "X-API-Key: $NUWA_API_KEY" \ -F "image=@photo.jpg" ``` Returns `202 Accepted` with a `search_id`. 2. **Poll (cost: 0 c

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal